From 811bfc4aa33930804bda33d89e8c1e4472b94743 Mon Sep 17 00:00:00 2001
From: "ryan-distrust.co"
Date: Tue, 16 May 2023 03:44:24 -0400
Subject: [PATCH] k/digitalocean: add a Certificate for snapshot validation webhook
---
 .../csi-driver/kustomization.yaml | 1 -
 .../csi-driver/webhook/kustomization.yaml | 4 +
 .../csi-driver/webhook/kustomizeconfig.yaml | 7 ++
 .../resources.yaml} | 86 ++++++++++++-------
 .../digitalocean/kustomization.yaml | 25 ++++++
 5 files changed, 89 insertions(+), 34 deletions(-)
 create mode 100644 kustomizations/digitalocean/csi-driver/webhook/kustomization.yaml
 create mode 100644 kustomizations/digitalocean/csi-driver/webhook/kustomizeconfig.yaml
 rename kustomizations/digitalocean/csi-driver/{snapshot-validation-webhook.yaml => webhook/resources.yaml} (57%)
diff --git a/kustomizations/digitalocean/csi-driver/kustomization.yaml b/kustomizations/digitalocean/csi-driver/kustomization.yaml
index 1448575..5955944 100644
--- a/kustomizations/digitalocean/csi-driver/kustomization.yaml
+++ b/kustomizations/digitalocean/csi-driver/kustomization.yaml
@@ -4,7 +4,6 @@ namespace: digitalocean-csi
 resources:
 - driver.yaml
 - crds.yaml
-- snapshot-validation-webhook.yaml
 - snapshot-controller.yaml
 images:
 - name: k8s.gcr.io/sig-storage/snapshot-validation-webhook:v6.0.1
diff --git a/kustomizations/digitalocean/csi-driver/webhook/kustomization.yaml b/kustomizations/digitalocean/csi-driver/webhook/kustomization.yaml
new file mode 100644
index 0000000..660c50c
--- /dev/null
+++ b/kustomizations/digitalocean/csi-driver/webhook/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- resources.yaml
diff --git a/kustomizations/digitalocean/csi-driver/webhook/kustomizeconfig.yaml b/kustomizations/digitalocean/csi-driver/webhook/kustomizeconfig.yaml
new file mode 100644
index 0000000..4817f8e
--- /dev/null
+++ b/kustomizations/digitalocean/csi-driver/webhook/kustomizeconfig.yaml
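Review bot: Dropping `snapshot-validation-webhook.yaml` from `resources:` leaves the `images:` entry for `k8s.gcr.io/sig-storage/snapshot-validation-webhook:v6.0.1` in a kustomization that no longer contains the webhook Deployment; the Deployment now lives in `csi-driver/webhook`, which the parent overlay includes as a sibling, so this override is dead here. It likely never matched anyway: the Deployment in `webhook/resources.yaml` pulls `registry.k8s.io/sig-storage/snapshot-validation-webhook:v6.1.0`, and as far as I recall an `images[].name` that carries a tag does not match kustomize's image-name lookup. Either move the entry, with whatever `newName`/`newTag` follows it (the hunk cuts off after `name:`), into `csi-driver/webhook/kustomization.yaml`, or delete it so the image pin is not silently ignored.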
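Review bot: The new `csi-driver/webhook/kustomization.yaml` never references the `kustomizeconfig.yaml` created alongside it (the next hunk), so the `nameReference` entry that would propagate a transformed Issuer name into `Certificate.spec.issuerRef.name` is never loaded; add `configurations:` / `- kustomizeconfig.yaml` after `resources:`. Nothing visible in this patch applies a `namePrefix`/`nameSuffix` to the Issuer, so the omission is harmless today, but a config file that is present and unused misleads the next reader into assuming the reference is protected.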
@@ -0,0 +1,7 @@
+nameReference:
+ - kind: Issuer
+ group: cert-manager.io
+ fieldSpecs:
+ - kind: Certificate
+ group: cert-manager.io
+ path: spec/issuerRef/name
diff --git a/kustomizations/digitalocean/csi-driver/snapshot-validation-webhook.yaml b/kustomizations/digitalocean/csi-driver/webhook/resources.yaml
similarity index 57%
rename from kustomizations/digitalocean/csi-driver/snapshot-validation-webhook.yaml
rename to kustomizations/digitalocean/csi-driver/webhook/resources.yaml
index ec0639d..918c923 100644
--- a/kustomizations/digitalocean/csi-driver/snapshot-validation-webhook.yaml
+++ b/kustomizations/digitalocean/csi-driver/webhook/resources.yaml
@@ -16,26 +16,25 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
 name: "validation-webhook.snapshot.storage.k8s.io"
+ annotations:
+ cert-manager.io/inject-ca-from: default/snapshot-validation
 webhooks:
- - name: "validation-webhook.snapshot.storage.k8s.io"
- rules:
- - apiGroups: ["snapshot.storage.k8s.io"]
- apiVersions: ["v1", "v1beta1"]
- operations: ["CREATE", "UPDATE"]
- resources: ["volumesnapshots", "volumesnapshotcontents"]
- scope: "*"
- clientConfig:
- service:
- namespace: "kube-system"
- name: "snapshot-validation-service"
- path: "/volumesnapshot"
- # XXX Uncomment and populate the CA bundle field accordingly if a dedicated
- # CA is to be used.
- # caBundle: ${CA_BUNDLE}
- admissionReviewVersions: ["v1", "v1beta1"]
- sideEffects: None
- failurePolicy: Fail
- timeoutSeconds: 5
+- name: "validation-webhook.snapshot.storage.k8s.io"
+ rules:
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ apiVersions: ["v1", "v1beta1"]
+ operations: ["CREATE", "UPDATE"]
+ resources: ["volumesnapshots", "volumesnapshotcontents"]
+ scope: "*"
+ clientConfig:
+ service:
+ namespace: "kube-system"
+ name: "snapshot-validation-service"
+ path: "/volumesnapshot"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ failurePolicy: Fail
+ timeoutSeconds: 5
 ---
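Review bot: The `cert-manager.io/inject-ca-from` annotation replaces the old `caBundle` placeholder without recording what now fills that field, and its `default/` namespace segment is only correct because the parent overlay's `replacements` rewrite it; a comment at the annotation would save the next reader a cross-file hunt, e.g. `# caBundle is filled by cert-manager's CA injector from the Certificate in this file; the namespace segment is rewritten by replacements in kustomizations/digitalocean/kustomization.yaml`. It is worth stating next to it that the retained `failurePolicy: Fail` means that if cert-manager or its injector is missing, VolumeSnapshot create/update calls are rejected rather than admitted unverified, which is the safe direction. Note also that `clientConfig.service.namespace` stays hard-coded to `"kube-system"` while the annotation and the Certificate's SAN are derived from the Service's actual namespace; if the overlay namespace ever changes, this reference would be the one left behind.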
@@ -63,21 +62,20 @@ spec:
 spec:
 serviceAccountName: snapshot-validation
 containers:
- - name: snapshot-validation
- image: registry.k8s.io/sig-storage/snapshot-validation-webhook:v6.1.0
- imagePullPolicy: IfNotPresent
- args: ['--tls-cert-file=/etc/snapshot-validation-webhook/certs/cert.pem', '--tls-private-key-file=/etc/snapshot-validation-webhook/certs/key.pem']
- ports:
- - containerPort: 443
- volumeMounts:
- - name: snapshot-validation-webhook-certs
- mountPath: /etc/snapshot-validation-webhook/certs
- readOnly: true
- volumes:
+ - name: snapshot-validation
+ image: registry.k8s.io/sig-storage/snapshot-validation-webhook:v6.1.0
+ imagePullPolicy: IfNotPresent
+ args: ['--tls-cert-file=/etc/snapshot-validation-webhook/certs/tls.crt', '--tls-private-key-file=/etc/snapshot-validation-webhook/certs/tls.key']
+ ports:
+ - containerPort: 443
+ volumeMounts:
 - name: snapshot-validation-webhook-certs
- secret:
- # XXX Populate the secret properly with a certificate and key
- secretName: snapshot-validation-secret
+ mountPath: /etc/snapshot-validation-webhook/certs
+ readOnly: true
+ volumes:
+ - name: snapshot-validation-webhook-certs
+ secret:
+ secretName: snapshot-validation-secret
 ---
@@ -126,3 +124,25 @@ roleRef:
 kind: ClusterRole
 name: snapshot-validation
 apiGroup: rbac.authorization.k8s.io
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: selfsigned-issuer
+spec:
+ selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: snapshot-validation
+spec:
+ dnsNames:
+ - snapshot-validation-service
+ - snapshot-validation-service.default.svc
+ issuerRef:
+ kind: Issuer
+ name: selfsigned-issuer
+ secretName: snapshot-validation-secret
diff --git a/kustomizations/digitalocean/kustomization.yaml b/kustomizations/digitalocean/kustomization.yaml
index 27588a7..4267c03 100644
--- a/kustomizations/digitalocean/kustomization.yaml
+++ b/kustomizations/digitalocean/kustomization.yaml
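Review bot: The `args:` line now reads `tls.crt`/`tls.key`, which are the key names cert-manager writes into the Certificate's `secretName`, but nothing in the Deployment says where those names come from; a comment on that line, `# tls.crt/tls.key are the keys cert-manager writes into snapshot-validation-secret (see the Certificate below)`, would make the coupling explicit now that the `XXX Populate the secret` note is gone. Whether the webhook binary re-reads the mounted files after cert-manager renews the certificate is not visible here; if it does not, the pod keeps serving the expired certificate until restarted, so confirm that or add a rollout trigger. The Deployment's `spec:` begins before this hunk.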
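Review bot: The Certificate is issued straight from the `selfSigned` Issuer, so the leaf is its own trust anchor: every renewal changes both the serving certificate in `snapshot-validation-secret` and the `caBundle` that cert-manager's injector copies into the ValidatingWebhookConfiguration, and with the webhook's `failurePolicy: Fail` any lag between those two updates surfaces as rejected VolumeSnapshot writes. The usual cert-manager bootstrap, self-signed Issuer signing a long-lived CA Certificate (`isCA: true`) which backs a CA Issuer that signs the leaf, keeps the injected root stable across leaf renewals; the additions are sketched below. Introducing a second Certificate also means the parent overlay's first `replacements` source, which selects `kind: Certificate` with no name, must name `snapshot-validation`. Neither object sets `metadata.namespace`; a one-line comment that they take the overlay namespace from `kustomizations/digitalocean/kustomization.yaml` would help, since the Certificate's SAN and the injector annotation both depend on that namespace.
```yaml
# … unchanged: Issuer selfsigned-issuer …
---
# Long-lived CA; its certificate, not the rotating leaf, is what the injector places in caBundle.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: snapshot-validation-ca
spec:
  isCA: true
  commonName: snapshot-validation-ca
  secretName: snapshot-validation-ca
  issuerRef:
    kind: Issuer
    name: selfsigned-issuer
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: snapshot-validation-ca-issuer
spec:
  ca:
    secretName: snapshot-validation-ca
---
# … unchanged: Certificate snapshot-validation, except its issuerRef …
  issuerRef:
    kind: Issuer
    name: snapshot-validation-ca-issuer
```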
@@ -4,5 +4,30 @@ namespace: kube-system
 resources:
 - cloud-controller-manager
 - csi-driver
+- csi-driver/webhook
 generators:
 - secret-generator.yaml
+replacements:
+- source:
+ kind: Certificate
+ fieldPath: metadata.namespace
+ targets:
+ - select:
+ kind: ValidatingWebhookConfiguration
+ fieldPaths:
+ - metadata.annotations.[cert-manager.io/inject-ca-from]
+ options:
+ delimiter: /
+- source:
+ kind: Service
+ fieldPath: metadata.namespace
+ name: snapshot-validation-service
+ targets:
+ - select:
+ kind: Certificate
+ name: snapshot-validation
+ fieldPaths:
+ - spec.dnsNames.1
+ options:
+ delimiter: .
+ index: 1
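Review bot: The first replacement's `source:` selects `kind: Certificate` with no `name:`, unlike the second replacement which names its Service; kustomize fails the build when a replacement source matches more than one resource, so adding any other Certificate to this overlay would break it. Pin it with `kind: Certificate` / `name: snapshot-validation` / `fieldPath: metadata.namespace`. The second replacement also depends on positional facts that are only visible in `webhook/resources.yaml`, namely that `spec.dnsNames.1` is the `<service>.<namespace>.svc` entry and that `default` sits at index 1 of the `.`-split; a comment above that target, `# rewrites the "default" segment of snapshot-validation-service.default.svc to the Service's real namespace`, would make the coupling explicit. Both sources read `metadata.namespace`, which is only populated once the `namespace: kube-system` transformer has run; I believe replacements run after it, but this is worth a quick `kustomize build` check since nothing in the patch shows the rendered output.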